This week, the Cybersecurity and Infrastructure Security Agency (CISA) added 15 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Three of the vulnerabilities need to be remediated by federal civilian agencies before January 24, while the rest have remediation dates of July 10. 

CISA said the list is “based on evidence that threat actors are actively exploiting the vulnerabilities” and noted that the vulnerabilities are “a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”

The most urgent additions include a VMware vCenter Server Improper Access Control vulnerability, a Hikvision Improper Input Validation vulnerability and a FatPipe WARP, IPVPN, and MPVPN Privilege Escalation vulnerability. 

The rest of the list includes vulnerabilities involving Google Chrome, Microsoft Win32K, Microsoft WinVerify, Elastic Kibana, Primetek Primefaces, IBM WebSphere Application Server, Exim Mail Transfer Agent, Palo Alto Networks PAN-OS, Fortinet FortiOS and FortiProxy, Synacor Zimbra and Oracle WebLogic Server. 

The Known Exploited Vulnerabilities Catalog was created last year through a binding directive that allowed CISA to force federal civilian agencies to address certain vulnerabilities that are being used by cyberattackers. The first version of the list included 306 vulnerabilities commonly exploited during attacks but has grown since then.

Joshua Aagard, a vulnerability analyst on the Photon Research Team at Digital Shadows, told ZDNet that CISA’s additions are wide-ranging and likely to come with knock-on effects for infrastructure. 

“Unauthorized actions and remote execution are cited many times as the consequence of successful exploitation. So are data input via sanitization and proper logical handling,” Aagard said. 

“Those I inspected also tend to share a common theme of centralized command or encompass a single point of failure. From an attacker’s perspective, a server console or critical proxy can serve as a Jenga block that brings down all the rest of the accompanying infrastructure.”

The three that stood out most to him were the VMware vCenter Server Improper Access Control vulnerability, the Hikvision Improper Input Validation vulnerability and the FatPipe WARP, IPVPN, and MPVPN Privilege Escalation vulnerability. 

Aagard explained that the vulnerability in Hikvision CCTV cameras and camera systems relates to a lack of input validation, which leaves servers open to potentially malicious command injection attacks, otherwise known as RCE. 

“Full control of the target device can be had via nonrestricted shell at the root level, which even supersedes the designated owner level,” Aagard said. 

The FatPipe Networks vulnerability affects their WARP, IPVPN, and MPVPN offerings and allows attackers to gain access to an unrestricted file upload function on the servlet at the URL path /fpui/uploadConfigServlet, which can then be used to drop a webshell at /fpui/img/1.jsp for access to root and subsequent elevated privileges, according to Aagard. 

“Successful exploitation of this vulnerability could lead to pivot access with the internal network. Software versions prior to releases 10.1.2r60p93 and 10.2.2r44p1 are affected by this issue,” Aagard said. 
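For defenders reviewing web logs on affected FatPipe devices, the following added example (not from the article, CISA or FatPipe) flags clients that POST to the upload servlet and clients that request any JSP under the image directory. The two paths come from the article; the access-log format, the severity labels and the sample lines are assumptions constructed for illustration, and legitimate configuration uploads may also reach the servlet, so the output is a triage list.

```python
import re
from collections import defaultdict

# Paths taken from the article; log format and severity labels are assumptions.
UPLOAD_PATH = "/fpui/uploadConfigServlet"
JSP_UNDER_IMG = re.compile(r"^/fpui/img/.*\.jsp$", re.IGNORECASE)

# Assumed format: NCSA common/combined access log.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Jan/2022:09:14:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.9 - - [10/Jan/2022:09:15:40 +0000] "POST /fpui/uploadConfigServlet HTTP/1.1" 200 41
203.0.113.9 - - [10/Jan/2022:09:15:44 +0000] "GET /fpui/img/1.jsp?t=1 HTTP/1.1" 200 88
192.0.2.44 - - [10/Jan/2022:09:20:11 +0000] "POST /fpui/uploadConfigServlet HTTP/1.1" 403 0
198.51.100.7 - - [10/Jan/2022:09:21:30 +0000] "GET /fpui/img/logo.png HTTP/1.1" 200 904
"""

def scan(lines):
    """Return {client_ip: set of finding kinds} from access-log lines."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparsable lines are skipped, not guessed at
        path = m["target"].split("?", 1)[0]  # ignore the query string
        served = m["status"].startswith("2")
        if m["method"] == "POST" and path == UPLOAD_PATH:
            hits[m["ip"]].add("upload" if served else "upload-attempt")
        elif JSP_UNDER_IMG.match(path):
            # An image directory has no reason to serve JSP pages.
            hits[m["ip"]].add("jsp-in-img" if served else "jsp-probe")
    return dict(hits)

def triage(hits):
    """Rank clients: an accepted upload plus a served JSP is the worst case."""
    rank = {"high": 0, "medium": 1, "low": 2}
    out = []
    for ip, kinds in hits.items():
        if {"upload", "jsp-in-img"} <= kinds:
            sev = "high"
        elif kinds & {"upload", "jsp-in-img"}:
            sev = "medium"
        else:
            sev = "low"
        out.append((ip, sev))
    return sorted(out, key=lambda t: (rank[t[1]], t[0]))
```

Feed `scan()` the lines of the device's own access log in place of `SAMPLE_LOG`, and adjust the `LINE` pattern if the log format differs.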

For the VMware vulnerability, a malicious actor with common network access to port 443 on vCenter Server could exploit this issue to perform a bypass and gain access to internal endpoints, Aagard explained. 

Netenrich principal threat hunter John Bambenek echoed Aagard’s concern about the VMware vulnerability, noting that VMware servers aren’t just one asset and are typically used to control many of the important assets in an organization. 

“This vulnerability provides a straightforward path to taking over a vCenter instance and all the assets therein,” Bambenek said. “Another observation is some of these vulnerabilities are quite old (one is from 2013). Why the federal government needs six more months to patch an 8-year-old vulnerability tells me all I need to know about how broken IT security is with the government.”